firewall {
   family inet {
      replace:
      /*
       * $Id: admin-l3-in.jcl $
       * $Date: Sat, June 14, 2014 22:14:09 PM $
       *
       * Admin L3 ACL Input Policy
       *
       * Stateless IPv4 filter. Terms are evaluated top to bottom and the
       * first term whose "from" conditions all match decides the packet.
       * No term below ends with an explicit default action, so anything
       * that matches none of them is dropped by the Junos implicit
       * discard, which has no counter or log attached.
       *
       * The "replace:" tag makes "load replace" overwrite an existing
       * filter of the same name instead of merging into it.
       *
       * Prefix lists referenced here: admin-networks, services-networks,
       * proxy-servers, test-prefix. Only the first two are defined in
       * this file. NOTE(review): confirm the other two exist in the
       * target configuration before committing.
       */
      filter admin-l3-in {
         /*
          * Discard ICMP fragments and count them in discard-icmp-frags.
          * No source restriction, so this applies to every sender.
          * "is-fragment" matches packets with a non-zero fragment offset,
          * i.e. trailing fragments; the first fragment of a datagram has
          * offset 0 and is not matched here ("first-fragment" is the
          * match condition for that case).
          */
         term discard-icmp-frags {
            from {
               protocol icmp;
               is-fragment;
            }
            then {
               counter discard-icmp-frags;
               discard;
            }
         }
         /*
          * Allowed ICMP types from admin-networks, to any destination:
          *   0 echo-reply, 3 destination-unreachable, 8 echo-request,
          *   11 time-exceeded, 30 traceroute (deprecated type).
          * ICMP codes are not restricted.
          */
         term accept-icmp {
            from {
               source-prefix-list {
                  admin-networks;
               }
               protocol icmp;
               icmp-type [0 3 8 11 30];
            }
            then {
               accept;
            }
         }
         /*
          * Accept TCP "established" traffic from admin-networks.
          * "tcp-established" is a stateless test on the TCP flags (ACK or
          * RST set); no connection state is tracked. With no destination
          * address or port condition, any such segment from admin-networks
          * is accepted to any destination.
          */
         term accept-tcp-established {
            from {
               source-prefix-list {
                  admin-networks;
               }
               protocol tcp;
               tcp-established;
            }
            then {
               accept;
            }
         }
         /*
          * Accept UDP from admin-networks with source port bootpc, bootps
          * or tftp towards destination ports 1024-65535.
          * Despite the term name, nothing here tracks a prior request:
          * the match is on port numbers only, and the source port is set
          * by the sender. There is no destination address condition.
          * NOTE(review): consider adding a destination-prefix-list so the
          * term covers only the hosts that expect these replies.
          */
         term accept-udp-established {
            from {
               source-prefix-list {
                  admin-networks;
               }
               protocol udp;
               source-port [ bootpc bootps tftp ];
               destination-port 1024-65535;
            }
            then {
               accept;
            }
         }
         /*
          * Accept network control protocols: AH, OSPF and VRRP.
          * This is the only accept term without a source-prefix-list, so
          * these protocols are accepted from any source to any
          * destination.
          * NOTE(review): confirm that is intended; restricting the term to
          * the expected neighbour/peer prefixes would narrow it.
          */
         term accept-network {
            from {
               protocol [ ah ospf vrrp ];
            }
            then {
               accept;
            }
         }
         /*
          * Accept standard TCP services from admin-networks to
          * services-networks or proxy-servers: ports 3128, domain, smtp.
          * The port list applies to both destination lists alike, so
          * domain and smtp are also allowed towards proxy-servers and
          * 3128 towards services-networks.
          * NOTE(review): 3128 is presumably the proxy port on
          * proxy-servers; if so, a separate term per destination list
          * would keep each port set minimal. proxy-servers is not defined
          * in this file.
          */
         term accept-services-tcp {
            from {
               source-prefix-list {
                  admin-networks;
               }
               destination-prefix-list {
                  services-networks;
                  proxy-servers;
               }
               protocol tcp;
               destination-port [ 3128 domain smtp ];
            }
            then {
               accept;
            }
         }
         /*
          * Accept standard UDP services from admin-networks to
          * services-networks: ports 8000-8030, domain, ntp.
          * "test-prefix except" removes destinations in test-prefix from
          * the match; as this is the last term, such packets fall through
          * to the implicit discard. test-prefix is not defined in this
          * file.
          */
         term accept-services-udp {
            from {
               source-prefix-list {
                  admin-networks;
               }
               destination-prefix-list {
                  services-networks;
                  test-prefix except;
               }
               protocol udp;
               destination-port [ 8000-8030 domain ntp ];
            }
            then {
               accept;
            }
         }
      }
   }
}
policy-options {

   replace:
   /*
    * Source networks used by every source-restricted term of filter
    * admin-l3-in.
    */
   prefix-list admin-networks {
      10.8.8.0/24;
      10.8.16.0/24;
   }

   replace:
   /*
    * Destination networks for the accept-services-tcp and
    * accept-services-udp terms of filter admin-l3-in.
    * The filter also references prefix lists proxy-servers and
    * test-prefix, which are not defined in this file.
    * NOTE(review): confirm they are defined elsewhere in the target
    * configuration.
    */
   prefix-list services-networks {
      10.8.9.0/24;
   }
}
